| View previous topic :: View next topic |
| Author |
Message |
D-LINC
Tux's lil' helper
Joined: 31 Jan 2011
Posts: 135
Location: Alaska
|
 Posted: Wed Apr 11, 2012 2:58 am Post subject: hardened and -FPIC |
 |
|
Hey guys, I'm looking at solving a bug that was reported on an ebuild for my own package:
games-puzzle/gfifteen-0.10.2 fails to compile
My package is a C program, but it also has some hand-crafted assembly code that is used when compiled for the amd64 architecture. (Please, no lectures about premature optimization -- I did it because I enjoy writing amd64 assembly.) These files reference a global variable defined in one of the C files, which was never a problem before. However, some one with a hardened system reports the build dies with this error:
| Code: | randboard.o: relocation R_X86_64_32S against `gf_bsquare_values' can not be used when making a shared object; recompile with -fPIC
randboard.o: could not read symbols: Bad value
|
After some online research, including Gentoo's own document on the subject, I got the impression that what I am supposed to do is make sure that the trouble files are being compiled with -FPIC. Per-source-file compile flags are a bit of a bother, but I suppose this is a reasonable enough request.
However, one thing is confusing me here: If I compile the source code on my (non-hardened) Gentoo system, but pass in the flag -fno-PIC (with CFLAGS="-fno-PIC" ./configure), the software still builds without any problems:
| Code: | $ make clean
test -z "gfifteen" || rm -f gfifteen
rm -f *.o
$ CFLAGS="-fno-PIC" ./configure --prefix=/scratch/cmhoward/gfifteen-test
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking whether gcc and cc understand -c and -o together... yes
checking dependency style of gcc... gcc3
checking for pkg-config... /usr/bin/pkg-config
checking for GTK+ - version >= 3.0.0... yes (version 3.2.3)
checking pkg-config is at least version 0.9.0... yes
checking for DEPS... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking whether __amd64__ is declared... yes
engaging amd64 optimizations
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
$ make
make all-am
make[1]: Entering directory `/scratch/cmhoward/gfifteen'
gcc -DHAVE_CONFIG_H -I. -fno-PIC -MT randboard.o -MD -MP -MF .deps/randboard.Tpo -c -o randboard.o randboard.S
mv -f .deps/randboard.Tpo .deps/randboard.Po
gcc -DHAVE_CONFIG_H -I. -fno-PIC -MT checkwin.o -MD -MP -MF .deps/checkwin.Tpo -c -o checkwin.o checkwin.S
mv -f .deps/checkwin.Tpo .deps/checkwin.Po
gcc -DHAVE_CONFIG_H -I. -DGSEAL_ENABLE -pthread -I/usr/include/gtk-3.0 -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng15 -I/usr/include/libdrm -std=c99 -DGTK_DISABLE_DEPRECATED=1 -Wall -Wextra -pedantic -Wno-unused-parameter -fno-PIC -MT gfifteen-gfifteen.o -MD -MP -MF .deps/gfifteen-gfifteen.Tpo -c -o gfifteen-gfifteen.o `test -f 'gfifteen.c' || echo './'`gfifteen.c
mv -f .deps/gfifteen-gfifteen.Tpo .deps/gfifteen-gfifteen.Po
gcc -DGSEAL_ENABLE -pthread -I/usr/include/gtk-3.0 -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng15 -I/usr/include/libdrm -std=c99 -DGTK_DISABLE_DEPRECATED=1 -Wall -Wextra -pedantic -Wno-unused-parameter -fno-PIC -o gfifteen randboard.o checkwin.o gfifteen-gfifteen.o -pthread -lgtk-3 -lgdk-3 -latk-1.0 -lgio-2.0 -lpangoft2-1.0 -lpangocairo-1.0 -lgdk_pixbuf-2.0 -lcairo-gobject -lcairo -lpango-1.0 -lfreetype -lfontconfig -lgobject-2.0 -lgmodule-2.0 -lgthread-2.0 -lrt -lglib-2.0
make[1]: Leaving directory `/scratch/cmhoward/gfifteen'
|
Wanting to make sure I had all my bases covered, I tried also passing in -fno-PIC -fno-pic -fno-PIE -fno-pie, but this also compiled without any problems. So... I'm left not wanting to "fix" the problem until I'm confident I understand what it is really is.
_________________
frigidcode.com |
|
| Back to top |
|
 |
phajdan.jr
Retired Dev
Joined: 23 Mar 2006
Posts: 1777
Location: Poland
|
| Posted: Wed Apr 11, 2012 9:14 am Post subject: |
|
|
This seems to be autotools-based project. Have you tried using LT_INIT([pic-only disable-static]) and appending -fPIE to CFLAGS in configure.ac, and AM_LDFLAGS = -Wl,-z,relro -Wl,-z,now -pie -no-undefined in Makefile.am?
_________________
http://phajdan-jr.blogspot.com/ |
|
| Back to top |
|
|
zorry
Developer
Joined: 30 Mar 2008
Posts: 380
Location: Umeå The north part of scandinavia
|
| Posted: Wed Apr 11, 2012 11:20 pm Post subject: |
|
|
The asm code need to be PIC friendly codeded to compile on hardened.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1) |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 21876
|
| Posted: Thu Apr 12, 2012 2:01 am Post subject: |
|
|
| To elaborate on the hint from zorry: passing -fPIC when compiling C code will alter the generated assembly in certain ways. The error cited in the first post is because one or more object files contains some assembly that was written in a non-PIC way. Normally, adjusting CFLAGS to include -fPIC is enough to make the compiler write PIC-friendly code, so that is what the error message suggests. In this case, the offending code was not written by the compiler, but by the human. Therefore, the human needs to rewrite the code in a PIC-friendly way, or disable use of PIC on that object. |
|
| Back to top |
|
|
D-LINC
Tux's lil' helper
Joined: 31 Jan 2011
Posts: 135
Location: Alaska
|
| Posted: Wed Apr 18, 2012 3:01 am Post subject: |
|
|
Thanks Hu. As I look into the situation more, it seems that the PIC version of the assembly must refer to global variables by pointing back to correct position in a Global Offset Table, which I think is done in asm through the @GOT modifier. But I'm not sure if it is that simple.
I think I need to find a good guide for writing PIC-friendly amd64 assembly.
_________________
frigidcode.com |
|
| Back to top |
|
|
mv
Watchman
Joined: 20 Apr 2005
Posts: 6749
|
| Posted: Wed Apr 18, 2012 6:08 am Post subject: |
|
|
| D-LINC wrote: | | Thanks Hu. As I look into the situation more, it seems that the PIC version of the assembly must refer to global variables by pointing back to correct position in a Global Offset Table, which I think is done in asm through the @GOT modifier. But I'm not sure if it is that simple. |
I think also one register has kept to be fixed (probably to point to that table), at least on entry and exit of functions. This is why it is "simpler" to write this code on amd64 instead of x86 (because it does not hurt so much to loose a register). |
|
| Back to top |
|
|
|
Portage & Programming
